[Openstack] confused about libvirt nwfilter and iptables rules

heut2008 heut2008 at gmail.com
Tue Feb 7 02:28:42 UTC 2012


hi, all:
I am confused about how security rules work. I read /nova/virt/libvirt/firewall.py and /nova/network/linux_net.py, and my understanding is that when a security rule is created or changed, the process is as below:
request to nova osapi -> update db for the rule -> call method trigger_security_group_rules_refresh() -> rpc.cast to all relevant compute nodes -> call refresh_security_group_rules(). It seems that refresh_security_group_rules gets the rule from the db and uses libvirt to define the rules.
But how are iptables invoked to create rules like "nova-compute-inst-22"?

Another question is that libvirt defines nova-base-filter, which allows any packets out and drops all packets in, but it is not used by the instance nwfilter. The instance nwfilter only has the no-mac-spoofing, no-arp-spoofing, no-ip-spoofing, and allow-dhcp-server filters.

If I misunderstand something, please correct me, thanks.
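As an added example (not code from nova and not part of the post above), here is a small Python model of how a list of security group rules could be rendered into a per-instance iptables chain of the kind named in the question, nova-compute-inst-22. Everything except that chain name is an assumption made for illustration: the rule fields, the per-host nova-compute-local chain that the instance chain hangs off, and the ESTABLISHED,RELATED allow followed by a trailing DROP that make the chain default-deny. The CIDR in each rule is validated before it is placed into a rule string, which is the check a practitioner would want in any code that turns user-supplied input into firewall commands.

```python
"""Model of how per-instance security group rules become an iptables chain.

Added example, not nova's own code. Only the chain name pattern quoted in
the mailing-list post ("nova-compute-inst-22") is taken from the page; the
rule format and the surrounding chain layout are assumptions.
"""

import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class SecurityGroupRule:
    """Assumed shape of one security group rule (hypothetical, not nova's)."""
    protocol: Optional[str]    # "tcp", "udp", "icmp", or None for any protocol
    from_port: Optional[int]   # start of port range, or ICMP type (-1 = any)
    to_port: Optional[int]     # end of port range, or ICMP code (-1 = any)
    cidr: str                  # remote source allowed in, e.g. "10.0.0.0/8"


def rule_to_iptables(chain: str, rule: SecurityGroupRule) -> str:
    """Render one allow rule as an iptables rule specification for `chain`."""
    # Reject anything that is not a CIDR before it reaches a rule string.
    net = ipaddress.ip_network(rule.cidr, strict=False)  # raises ValueError if bad
    parts = ["-A", chain, "-s", str(net)]
    if rule.protocol:
        parts += ["-p", rule.protocol]
        if rule.protocol in ("tcp", "udp") and rule.from_port is not None:
            if rule.from_port == rule.to_port:
                parts += ["--dport", str(rule.from_port)]
            else:
                parts += ["--dport", f"{rule.from_port}:{rule.to_port}"]
        elif rule.protocol == "icmp" and rule.from_port is not None and rule.from_port >= 0:
            icmp = str(rule.from_port)
            if rule.to_port is not None and rule.to_port >= 0:
                icmp += f"/{rule.to_port}"
            parts += ["--icmp-type", icmp]
    parts += ["-j", "ACCEPT"]
    return " ".join(parts)


def build_instance_chain(instance_id: int, instance_ip: str,
                         rules: List[SecurityGroupRule],
                         prefix: str = "nova-compute-") -> List[str]:
    """Return the iptables rule specs that make up one instance's chain.

    Layout (assumed): a per-host chain jumps traffic for the instance's fixed
    IP into inst-<id>; the instance chain admits replies to outbound traffic,
    then one ACCEPT per security group rule, then drops everything else.
    """
    ipaddress.ip_address(instance_ip)  # validate the destination as well
    chain = f"{prefix}inst-{instance_id}"
    lines = [
        f"-N {chain}",
        f"-A {prefix}local -d {instance_ip} -j {chain}",
        f"-A {chain} -m state --state ESTABLISHED,RELATED -j ACCEPT",
    ]
    lines += [rule_to_iptables(chain, r) for r in rules]
    lines.append(f"-A {chain} -j DROP")  # default deny for inbound traffic
    return lines


if __name__ == "__main__":
    # Constructed sample rules: ssh from the private range, any ICMP, a UDP range.
    sample = [
        SecurityGroupRule("tcp", 22, 22, "10.0.0.0/8"),
        SecurityGroupRule("icmp", -1, -1, "0.0.0.0/0"),
        SecurityGroupRule("udp", 5000, 5100, "192.168.1.0/24"),
    ]
    for line in build_instance_chain(22, "10.0.0.5", sample):
        print("iptables -t filter", line)
```

Each printed line is a rule specification for the filter table; the ordering matters, since the trailing DROP only sees what the ACCEPT rules above it did not match. The libvirt nwfilter side of the question (nova-base-filter versus the per-instance no-*-spoofing and allow-dhcp-server filters) is not modelled here.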

